
Apache, php and linux file permissions

So the python code will monitor /var/www/temp folder for a <username>.lock file with the hashed password inside

If found, it takes the username from the filename, and the hashed password inside, executes the sed command (sed -i "s/$username $oldpw/$username $newpw/" <file>) then deletes that lock file?

If I am missing anything, lemme know.

Can this be done with PHP or Perl? Rather than python or ruby? heh

What owner/group will be of the temp folder? and what chmod should I have it as?

You cannot use perl or php since those programs have 'timeouts' - they can only run for a certain amount of time and then they will stop running. Python is a very easy language to learn - especially if you are familiar with programming in general. Just find some intro python tutorials and steal a sample program. Even better, you can just type "python" and start running python commands line-by-line to test them.... But with Python you can set a program to continue running forever - perhaps a 1 sec sleep between checking the /temp folder.

The permissions for the temp folder depend on the ownership. Apache is run by the www-data user. So if the www-data user is the owner of the temp folder, then you would be fine with 700 or 755 access. Now, if www-data is not the owner of that folder, you would check to see if the www-data user was a member of the group that owns the temp folder.... if it was... 775 or 770. If none of the above, 777 would be ok.
My advice: chgrp the /temp directory to the same as the /www directory. chown the /temp directory to the www-data. Use 775. Actually, I would need to do some more research, but you might want to skip execute permission - 665 or 660 - that way if someone manages to save malicious code to that directory, it cannot be executed. But that might be security overkill...


Other than that, it sounds like you have a good plan-of-action! I'm surprised nobody else has chimed in with their 2 cents - but this method looks very secure to me and should keep your dc++ node safe :)
 
So with this, there's no way foreign users can attempt to run malicious stuff on my server?

root/root owns /var/www and it's chmodded to 755

And how do I create a file with a variable in PHP? I tried this but it didn't work:

fopen("/temp/$u.lock", 'w');


I have absolutely no idea how to write python so I have no idea how to check a folder for a file nor read from a file

Can I execute a sed statement from python?
 

With IT security...never say never :)

We are minimizing risks. With this setup, if someone was able to compromise your Apache service (which is a vulnerable target since it accepts traffic from the Internet), they would not be able to use that as a vector to take over your entire PC without a lot more work.

Python is very easy to write:

open a file - call it whatever you want.py i.e., perm_edit.py

Now go to a python tutorial site and just start copying/pasting code that will let you open a file, read the name to a variable, read the contents to a variable and then execute a shell command based on those two variables.

And then you want to put the entire program in a loop that repeats after a 1000ms sleep.

I'm thinking your program will be ~6 lines. Maybe 10 at the most. Like I said before, you can hire me to write it but you will be absolutely amazed when you see how easy it is. Python is like "pseudo-code" - it's very human-readable!

To execute it, you will create a file in your rcN.d directory (where N=3,4,5,6 - whichever is the 'multiuser' run level - I always forget - just look for the one with all the S's and not many K's leading the filename - the directories are all in /etc/ ("ls /etc |grep rc"). Anyway, duplicate one, give it a unique number, start it with a capital S, and change the contents to: /usr/whereverpythonis/python perm_edit.py

Now your script will start automagically when linux boots up.

yes you can execute sed from Python - either by executing a shell command or using the Python built-in sed library.
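The polling program this reply describes, written out as an added Python example (not code from the thread). It assumes the password file holds one "username hashedpw" line per user, as the sed command earlier in the thread implies, and the path PASSWD_FILE is a placeholder. Instead of interpolating the username and hash into a shell sed command it rewrites the file in Python, so nothing taken from a lock file is ever passed to a shell; it also copes with a lock file that is still being written or that disappears between the directory listing and the read.

```python
import os
import re
import time

LOCK_DIR = "/var/www/temp"            # where the PHP side drops <username>.lock
PASSWD_FILE = "/path/to/passwd.txt"   # assumed placeholder: one "username hash" per line
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed allowed username shape

def apply_update(pw_file, username, new_hash):
    """Rewrite the 'username oldhash' line with new_hash. Returns True if the file changed."""
    with open(pw_file) as fh:
        lines = fh.read().splitlines()
    out = [f"{username} {new_hash}" if l.split(" ", 1)[0] == username else l for l in lines]
    if out == lines:
        return False                  # unknown user, or hash already current
    with open(pw_file + ".tmp", "w") as fh:
        fh.write("\n".join(out) + "\n")
    os.replace(pw_file + ".tmp", pw_file)   # atomic swap: readers never see a half-written file
    return True

def process_once(lock_dir=LOCK_DIR, pw_file=PASSWD_FILE):
    """One pass over the lock directory; returns the usernames whose hash was updated."""
    updated = []
    for name in os.listdir(lock_dir):
        if not name.endswith(".lock"):
            continue
        username, path = name[:-len(".lock")], os.path.join(lock_dir, name)
        if not USERNAME_RE.match(username):
            os.remove(path)           # a name that cannot be in the file is never acted on
            continue
        try:
            with open(path) as fh:
                new_hash = fh.read().strip()
        except FileNotFoundError:
            continue                  # vanished between listdir() and open(); retry next pass
        if not new_hash:
            continue                  # empty: the PHP side may still be writing it
        if len(new_hash.split()) == 1 and apply_update(pw_file, username, new_hash):
            updated.append(username)
        os.remove(path)
    return updated

if __name__ == "__main__":
    while True:                       # the 1 s polling loop the reply describes
        process_once()
        time.sleep(1)
```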
 

"root/root owns /var/www and its chmodded to 755"

Change permissions to 777 or change ownership to www-data.

Changing the ownership is probably the way you should do this.

Remember, apache is running just like it was "logged in" as www-root. You just said that it is owned by root and everyone (i.e., the "third" digit in the permission) is 5 which is read+execute but no write.
 
if write is not enabled, how can I write .lock files to /var/www/temp? and when you said


Change permissions to 777 or change ownership to www-data

is that for /var/www or /var/www/temp?
 

That would be for wherever you are trying to write the file to.

It should be /var/www/temp - sorry I misread your fopen command and I didn't see that you already had /temp.

So is /var/temp already owned by www-data and 7xx permissions?

edit: I see: /temp/ is your problem - change it to /var/www/temp or just temp/ (this line: fopen("/temp/$u.lock", 'w'); ) - as it is, it's trying to write to /temp/ not /var/www/temp/
 
/var/www is root/root and chmod to 755


/var/www/temp is the new folder I created. What owner should that folder have, and what chmod?
 

I could just tell you, or I could give you choices to help you understand why for future reference :)


UNIX File Permissions:

1 = Execute
2 = Write
4 = Read
Now, you add up the permissions you want to get a number between 0 and 7
7 = read, write, execute. Execute is not just for executing programs - I (believe) it is required to do a directory listing (ls).

Now, your number from 0-7 goes in one of three places: Owner, Group, Everyone else who has an account on that system.

700 = Folder owner has full access, nobody else has any access.
070 = Anyone who is a member of the group that owns that folder has full access, nobody else has permissions.
007 = Everyone who has an account on the system has full permissions.


Now - your web server is running "as" the user www-data. So you want to make sure that www-data is somehow able to write a new file to that folder. You actually don't care about executing or doing an ls from that folder. So you would want at least write access (2) for either the owner (if the folder is owned by www-data) or the group (if www-data is a member of the "group" that owns that folder), or if nothing else, everyone.

My recommendation is to make the /var/www/temp folder owned by www-data so you can just do 200 permissions. But, for your own sanity, you could go ahead and make the permissions 777 for now while you test your application and then when you are done testing, change it to 200 and see if it still works ok.

You also might want to handle a possible exception: the file already exists. (in case a user manages to click submit twice in less than 1 second)
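The owner/group/everyone check this reply walks through, as an added Python example (not code from the thread). It assumes www-data is uid and gid 33 as on Debian; check /etc/passwd on your box. One caveat the example models: on Linux, creating a file needs both the write bit and the search (execute) bit on the directory, so a bare 200 on /var/www/temp would not let www-data drop the .lock file, while 300 or 775 with the right owner/group would.

```python
import os
import stat

# Constructed sample identity: Debian's www-data is uid/gid 33 (assumption; check /etc/passwd)
WWW_DATA_UID, WWW_DATA_GIDS = 33, {33}

def mode_string(mode):
    """Render the nine permission bits the way ls does, e.g. 0o755 -> 'rwxr-xr-x'."""
    out = ""
    for shift in (6, 3, 0):               # owner, group, everyone else
        bits = (mode >> shift) & 0o7
        out += "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return out

def effective_bits(mode, owner_uid, owner_gid, uid, gids):
    """Select the single triplet that applies to uid: owner, else group, else other."""
    if uid == 0:
        return 7                          # root ignores mode bits on directories
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_create_file(dir_mode, owner_uid, owner_gid, uid, gids=frozenset()):
    """Creating a file needs write AND search (execute) permission on the directory."""
    bits = effective_bits(dir_mode, owner_uid, owner_gid, uid, gids)
    return (bits & 0o3) == 0o3

def check_path(path, uid, gids):
    """Same check against a real directory via stat()."""
    st = os.stat(path)
    return can_create_file(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

def explain(label, dir_mode, owner_uid, owner_gid):
    ok = can_create_file(dir_mode, owner_uid, owner_gid, WWW_DATA_UID, WWW_DATA_GIDS)
    return f"{label}: {mode_string(dir_mode)} owned by uid {owner_uid} -> www-data can create: {ok}"

if __name__ == "__main__":
    print(explain("/var/www root:root 755", 0o755, 0, 0))            # False
    print(explain("/var/www/temp www-data 200", 0o200, 33, 33))      # False: no search bit
    print(explain("/var/www/temp www-data 300", 0o300, 33, 33))      # True
    print(explain("/var/www/temp root:www-data 775", 0o775, 0, 33))  # True via the group
```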
 